The invention relates to a method for securely accessing the systems of a distributed computer system by entering passwords, wherein some of the systems are accessible with the same password and some of the systems are accessible with different passwords.
Modern computer systems, particularly distributed computer systems as well as many applications and services, are protected by passwords. This gives rise to the problem that users have too many passwords, which expire at different points in time and are subject to different password rules. Furthermore, some systems enforce password rules while others do not. In general, users often choose the same password for multiple systems so that it is easy to remember. Moreover, users also often write down their passwords, which violates the basic security rules for passwords.
Forgotten passwords lead to a high helpdesk call rate involving high costs. About 30% of all helpdesk requests are password related.
An approach to solve the problem of managing multiple passwords is single sign on (SSO). SSO is a mechanism whereby a single action of user authentication and authorization can permit a user to access all computers, systems and/or multiple application components in a distributed application environment to which the user has access permission, without the need to enter multiple passwords.
Two categories of products supporting SSO are known. One is password synchronization, the other is database-based passwords with master password.
Products supporting password synchronization use one single password to access multiple systems. Password synchronization allows the user to change the password for multiple systems with a single user action. A disadvantage of password synchronization is that if the password gets into the hands of the wrong person, all systems can be directly accessed by this person with this one password. For this reason, password synchronization is insecure.
Products supporting database-based passwords with a master password use a database to store multiple passwords for multiple systems. The user gets access to all systems by entering the master password, whereupon the SSO product looks up the correct password for a given system in the database. This database must therefore store the passwords with a two-way encryption in order to retrieve the passwords later in clear to authenticate the user. A disadvantage of such database-based passwords with a master password is that the two-way encryption is insecure when the system passwords are otherwise stored in highly secure products such as Resource Access Control Facility (RACF) with one-way encryption. Here, one-way encryption is an algorithm, such as the Secure Hash Algorithm (SHA), that encodes a sequence of characters, such as a password, in a way that makes it impossible to write another algorithm that restores the original sequence of characters, whereas two-way encryption is an algorithm, such as the Data Encryption Standard (DES), that encodes a sequence of characters in a way that allows the original sequence of characters to be restored only by the same algorithm. Again, if the master password gets into the hands of the wrong person, then all systems can be accessed with this one password using the SSO product.
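The following is an added example, not part of the patent text, illustrating the distinction just drawn: a one-way (hashed) password record, of the kind kept by systems such as RACF, supports verification only, whereas a master-password SSO database must keep every system password two-way so that it can be read back in clear. The reversible cipher used here is a constructed HMAC-SHA256 keystream that stands in for DES so the example runs on the standard library alone; the salts, passwords and system names are constructed sample values, and the PBKDF2 iteration count is an assumption for this example.

```python
"""Added example (not from the patent): one-way vs. two-way password records."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

ITERATIONS = 100_000  # PBKDF2 work factor (assumption for this example)


def one_way_record(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store a password one-way (salted PBKDF2-SHA256). Only the digest is kept;
    no algorithm recovers the password from it, so a leaked record is not a credential."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def one_way_verify(password: str, salt: bytes, digest: bytes) -> bool:
    """The only operation a one-way store supports: recompute and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed stream cipher: HMAC-SHA256(key, nonce || counter) blocks XORed with the data.
    It stands in for DES here; a real product would use an authenticated cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def two_way_encrypt(master_key: bytes, password: str,
                    nonce: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store a password two-way under the master key: the record can be reversed later."""
    nonce = nonce if nonce is not None else os.urandom(16)
    data = password.encode()
    cipher = bytes(a ^ b for a, b in zip(data, _keystream(master_key, nonce, len(data))))
    return nonce, cipher


def two_way_decrypt(master_key: bytes, nonce: bytes, cipher: bytes) -> str:
    """Same algorithm, same key: the original password comes back in clear.
    With a wrong key the unauthenticated stand-in cipher yields garbage rather than an error."""
    plain = bytes(a ^ b for a, b in zip(cipher, _keystream(master_key, nonce, len(cipher))))
    return plain.decode(errors="replace")


def master_key_from_password(master_password: str, salt: bytes) -> bytes:
    """Derive the database key from the master password, so one secret unlocks every record."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS)


def build_vault(master_password: str, system_passwords: Dict[str, str],
                salt: bytes) -> Dict[str, Tuple[bytes, bytes]]:
    """A master-password SSO database: every system password is kept two-way under one key."""
    key = master_key_from_password(master_password, salt)
    return {system: two_way_encrypt(key, pw) for system, pw in system_passwords.items()}


def open_vault(master_password: str, vault: Dict[str, Tuple[bytes, bytes]],
               salt: bytes) -> Dict[str, str]:
    """What holding the master password permits: reading back every system password in clear.
    This is the exposure the text describes; a one-way store has no equivalent operation."""
    key = master_key_from_password(master_password, salt)
    return {system: two_way_decrypt(key, nonce, cipher) for system, (nonce, cipher) in vault.items()}


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    systems = {"mainframe": "r4cf-Pa55", "mail": "m41l-S3cret", "hr-app": "hr-2024!"}
    vault_salt = b"constructed-salt"
    vault = build_vault("Master-Pw", systems, vault_salt)
    print("two-way vault opened with master password:", open_vault("Master-Pw", vault, vault_salt))
    salt, digest = one_way_record(systems["mainframe"])
    print("one-way record verifies correct password:", one_way_verify(systems["mainframe"], salt, digest))
    print("one-way record verifies wrong password:", one_way_verify("guess", salt, digest))
```

The contrast is in the operations each store offers: `one_way_verify` can only answer yes or no to a candidate password, while `open_vault` returns every stored system password once the single master password is known. The example uses a salted, iterated SHA-256 derivation for the one-way record because a bare SHA digest of a password is cheap to brute-force; the patent's point about one-way versus two-way storage holds either way.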
Because SSO gives the user's master password access to all systems, it is recommended to use smart cards, biometric scanners or both instead of a single master password. Some SSO products support such features.
Moreover, commercial SSO products for the complete Information Technology (IT) infrastructure are very expensive and can lead to problems of their own, such as the drawbacks mentioned above.